Announcement

Summary

NIST requests comments on SP 800-63-2, Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance (LOA) that are specified in the Office of Management and Budget (OMB) memorandum M-04-04, E-Authentication Guidance for Federal Agencies.

Background

In 2004, NIST published the initial version of Special Publication (SP) 800-63, Electronic Authentication Guideline. Since then, two revisions have been published, the latest of which, SP 800-63-2, was published in August 2013. NIST is considering a significant update to SP 800-63-2 in response to market innovation, evolving federal requirements, and an advanced threat landscape targeting remote authentication.

Several recent developments suggest the need for a possible revision at this time:

Executive Order 13681, Improving the Security of Consumer Financial Transactions, issued by the administration in October 2014, requires “…that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”

The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) was published by NIST in February 2014 in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity. The accompanying roadmap cites the need for NIST to “…conduct identity and authentication research complemented by the production of NIST Special Publications that support improved authentication practices.”

The National Strategy for Trusted Identities in Cyberspace (NSTIC), released in 2011, charts a course for both public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transacations through an Identity Ecosystem. NSTIC calls for the Federal Government to “lead by example and implement the Identity Ecosystem for the services it provides internally and externally.” As the Identity Ecosystem starts to take shape, NIST guidelines should reflect and support it.

NIST is soliciting public feedback on this Special Publication to identify areas that industry and government deem most significant for revision. We will review all public comments and make them available on the Computer Security Resource Center (CSRC) website.

Note to Reviewers

To facilitate this review, we have compiled a number of topics of interest to which we would like reviewers to respond. While we would like reviewers to respond to as many of these as they wish, it is not necessary to answer all of them. Furthermore, reviewers should feel free to suggest other areas of revision or enhancement to the document. Recommendations for revisions that are not within the scope of SP 800-63 may be considered; however NIST cannot ensure the recommendations will be included in a potential update.

What schemas for establishing identity assurance have proven effective in providing an appropriate amount of security, privacy, usability, and trust based on the risk level of the online service or transaction? How do they differentiate trust based on risk? How is interoperability of divergent identity solutions facilitated?

Could identity assurance processes and technologies be separated into distinct components? If so, what should the components be and how would this provide appropriate level of identity assurance?

What innovative approaches are available to increase confidence in remote identity proofing? If possible, please share any performance metrics to corroborate increased confidence levels.

What privacy considerations arising from identity assurance should be included in the revision? Are there specific privacy-enhancing technologies, requirements or architectures that should be considered?

What requirements, processes, standards, or technologies are currently excluded from 800-63-2 that should be considered for future inclusion?

Should a representation of the confidence level in attributes be standardized in order to assist in making authorization decisions? What form should that representation take?

What methods can be used to increase the trust or assurance level (sometimes referred to as “trust elevation”) of an authenticated identity during a transaction? If possible, please share any performance metrics to corroborate the efficacy of the proposed methods.